This guide is written against Debian Etch (4.0). This release includes kernel '''linux-image-vserver-686''', so no manual patching is needed. Hence, Installation on Debian Etch is pretty easy and straightforward.

+

'''Note:''' Debian 6.0 is the final version to include precompiled Linux-Vserver kernels. In newer versions (including Debian Testing), you'll have to compile the kernel yourself or [http://linux-vserver.org/Frequently_Asked_Questions#Were_can_I_get_newer_versions_of_VServer_as_ready_made_packages_for_Debian.3F use a pre-packaged kernel]. [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=574529]

−

If you need to compile your own kernel, you need to apply the vserver-version.patch. [http://www.kwu.hu/blog.php Details at 2007/Apr/25]

+

This guide is written against Debian Etch (4.0) and works on Lenny (5.0) as well. Both releases include kernel '''linux-image-vserver-686''', so no manual patching is needed. Hence, Installation on Debian Etch/Lenny is pretty easy and straightforward.

+

+

If you need to compile your own kernel, you need to apply the vserver-version.patch. [http://www.kwu.hu/vserver.txt Details at 2007/May/04]

+

+

In lenny and etch the tools are for the 2.2 version of vservers, you can find on beng repository packages for the 2.3 version of util-vserver until it is integrated in debian. See

+

* [[util-vserver:Devdebianpackage]] - Info about debian v2.3 package from the community

+

* explanation on how to use this repository from: http://kernels.bristolwireless.net/ How to use the Debian Repository
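Review bot: the added intro paragraph scopes the guide to Etch and Lenny ("works on Lenny (5.0) as well"), while the added Note above it speaks about Debian 6.0 and newer, so a reader cannot tell from these lines whether the steps are expected to hold on 6.0. State the covered releases once, next to the Note. The bare link [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=574529] at the end of the Note also has no label and renders only as "[1]"; give it link text that says what the bug report is about.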

Line 18:

Line 24:

Now that the host system is ready, you can proceed with [[Building Guest Systems|building guests]].

Now that the host system is ready, you can proceed with [[Building Guest Systems|building guests]].

Debian already contains vservers kernels, so no manual patching and compiling is needed.

Debian already contains vservers kernels, so no manual patching and compiling is needed.

+

{|class="wikitablenowrap"

{|class="wikitablenowrap"

!Debian release

!Debian release

Line 26:

Line 57:

!VServer version

!VServer version

|-

|-

−

| Etch

+

| Squeeze

−

| 2.6.18+6

+

| 2.6.32

−

| 2.0.2.2-rc9

+

| 2.3.0.36.29.6

|-

|-

| Lenny

| Lenny

| 2.6.26+17

| 2.6.26+17

| 2.3.0.35

| 2.3.0.35

+

|-

+

| Etch

+

| 2.6.18+6

+

| 2.0.2.2-rc9

+

|-

|-

|}

|}

+

+

The Vserver versions given above are not completely pure, they have additional patches to fix various issues.

+

+

Information on alternative Debian repositories with more functional packages is [[Frequently_Asked_Questions#Were_can_I_get_newer_versions_of_VServer_as_ready_made_packages_for_Debian.3F | contained in this section of the FAQ]].

+

+

== Issues with Squeeze's 2.6.32 Kernel and Util-vserver ==

+

+

* Util-vserver shipping with debian, does not have the symbolic link for squeeze, fixed by

+

ln -s debian /usr/lib/util-vserver/distributions/squeeze

+

+

== Issues with Lenny's 2.6.26 Kernel and Util-vserver ==

+

+

=== Hard CPU scheduling ===

+

+

This will not work in the Debian 'Lenny' Kernel, the patch used simply does not contain any of this functionality.

+

+

=== Problems due to Xattrs ===

+

+

There are two sets of issues within the Lenny kernel caused by the change in value of the Xattrs (extended attributes) applied to file in Vserver setups. The patch used in Debian Lenny uses Xattr flags which are set in positions which differ from the flags set by Debian kernels as well as most of the mainline Vserver patches. This result is that Xattrs of files in a non lenny system appear to have completely different flags in Lenny and vice versa. Since these flags are crucial to vserver hashification and chroot security, they can have devastating effects on Vserver guests and on host system security. If you have recently moved to or away from the stock Lenny Vserver kernel, have look at the symptoms below to see if any match your experiences, and apply the fixes/use another kernel as you see fit.

+

+

As of writing these issue has not been corrected within the Debian archive. These fixes must be applied whenever moving vserver guest '''from''' or '''to''' the Debian 'Lenny's vserver kernel. For more details and a more concise explanation see [http://irc.13thfloor.at/LOG/2009-05/LOG_2009-05-12.txt Bertls IRC explanation ].

+

+

==== Chroot Security Problems ====

+

+

Linux-Vserver uses file Xattrs to protect guest superusers from being able to view files above their root, preventing access to host file. This creates issues for anyone who:

+

+

* has created a guest with a Debian 2.6.26-*-vserver kernel and wishes to use it with another kernel.

+

* has created a guest with a different kernel and wishes to use it on a Debian 2.6.26-*-vserver kernel based host.

+

+

In effect, the barrier normally in place for guest servers is not recognised by the kernel (the chroot problem) in the situation above and/or immutable links will not function correctly (the unification problem)failing to break when overwritten) in a unified guest setup. Symptoms suffered may include:

+

+

* the possibility of vserver guest processes escaping their chroots and accessing other parts of the filesystem

+

* guest not starting

+

+

To fix the barrier flags for a current kernel, see [[Secure_chroot_Barrier#Solution:_Secure_Barrier | these instructions]]. Note that on some setups a barrier flags will appear on all directories under the guest hierarchy, and need to be unset in order to allow the servers to run. Use showattr to reveal the state of play for your guests and fix appropriately.

+

+

==== Unification Problems ====

+

+

There is a discrepancy between the immutable-unlink flag used for file unification, the process used in vhashify. This creates considerable issues for anyone who:

+

+

* has unified guests with a Debian 2.6.26-*-vserver kernel and wishes to use them with another kernel.

+

* has unified guests with a different kernel and wishes to then it on a Debian 2.6.26-*-vserver kernel based host.

+

+

Symptoms suffered may include:

+

+

* file that cannot be deleted

+

* any process involving the writing of files in guests not working

+

* files not being unlinked on write

+

+

To fix the problem each file must be unlinked then the unification re-applied, or one could try this script submitted to [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508523 bugs.debian.org].

+

+

+

=== /proc/mounts issue ===

+

+

The vserver's /proc/mounts let appear the vserver path on the host. lsof (for example) is able to print it.

+

+

=== "Ghosts" guests ===

+

+

==== Issue ====

+

Sometimes a guests loose it's name in vserver-stats and is acting like a zombie. It's impossible to restart or kill it. Stopping all the guests with the util-vserver init.d script doesn't solve the issue. vkill --xid $CTX doesn't either.
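Review bot: in the "Chroot Security Problems" text, the sentence "on some setups a barrier flags will appear on all directories under the guest hierarchy, and need to be unset" does not say where the barrier has to remain set, so a reader following it could clear the flag everywhere and lose the protection this section is about. Name the directory that must keep the barrier, or point explicitly at the linked Secure chroot Barrier instructions for the intended end state, and show the showattr check to run afterwards. In the same section the parentheses in "(the unification problem)failing to break when overwritten)" are unbalanced, "wishes to then it on" is missing its verb, and the "Ghosts" guests section describes the issue without any fix or workaround.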

Revision as of 20:11, 21 October 2011

Note: Debian 6.0 is the final version to include precompiled Linux-Vserver kernels. In newer versions (including Debian Testing), you'll have to compile the kernel yourself or use a pre-packaged kernel. [1]

This guide is written against Debian Etch (4.0) and works on Lenny (5.0) as well. Both releases include the kernel linux-image-vserver-686, so no manual patching is needed. Hence, installation on Debian Etch/Lenny is pretty easy and straightforward.

== Issues with Squeeze's 2.6.32 Kernel and Util-vserver ==

The util-vserver shipped with Debian does not have the symbolic link for squeeze. This is fixed by:

ln -s debian /usr/lib/util-vserver/distributions/squeeze

== Issues with Lenny's 2.6.26 Kernel and Util-vserver ==

=== Hard CPU scheduling ===

Hard CPU scheduling will not work with the Debian 'Lenny' kernel: the patch used simply does not contain any of this functionality.

=== Problems due to Xattrs ===

There are two sets of issues within the Lenny kernel caused by the change in value of the Xattrs (extended attributes) applied to files in Vserver setups. The patch used in Debian Lenny uses Xattr flags set in positions that differ from the flags set by Debian kernels as well as most of the mainline Vserver patches. The result is that the Xattrs of files from a non-Lenny system appear to have completely different flags in Lenny, and vice versa. Since these flags are crucial to vserver hashification and chroot security, this can have devastating effects on Vserver guests and on host system security. If you have recently moved to or away from the stock Lenny Vserver kernel, have a look at the symptoms below to see if any match your experience, and apply the fixes or use another kernel as you see fit.

At the time of writing, this issue has not been corrected within the Debian archive. These fixes must be applied whenever moving a vserver guest from or to the Debian 'Lenny' vserver kernel. For more details and a more concise explanation see [http://irc.13thfloor.at/LOG/2009-05/LOG_2009-05-12.txt Bertl's IRC explanation].

==== Chroot Security Problems ====

Linux-Vserver uses file Xattrs to prevent guest superusers from viewing files above their root, which stops them accessing host files. This creates issues for anyone who:

* has created a guest with a Debian 2.6.26-*-vserver kernel and wishes to use it with another kernel.
* has created a guest with a different kernel and wishes to use it on a Debian 2.6.26-*-vserver kernel based host.

In effect, in the situations above the barrier normally in place for guest servers is not recognised by the kernel (the chroot problem), and/or immutable links will not function correctly, failing to break when overwritten, in a unified guest setup (the unification problem). Symptoms suffered may include:

* the possibility of vserver guest processes escaping their chroots and accessing other parts of the filesystem
* guest not starting

To fix the barrier flags for a current kernel, see the instructions under [[Secure_chroot_Barrier#Solution:_Secure_Barrier|Secure chroot Barrier]]. Note that on some setups barrier flags will appear on all directories under the guest hierarchy and need to be unset in order to allow the servers to run. Use showattr to reveal the current state for your guests and fix appropriately.

==== Unification Problems ====

There is a discrepancy in the immutable-unlink flag used for file unification, the process used in vhashify. This creates considerable issues for anyone who:

* has unified guests with a Debian 2.6.26-*-vserver kernel and wishes to use them with another kernel.
* has unified guests with a different kernel and wishes to then use them on a Debian 2.6.26-*-vserver kernel based host.

Symptoms suffered may include:

* files that cannot be deleted
* any process involving the writing of files in guests not working
* files not being unlinked on write

To fix the problem, each file must be unlinked and then the unification re-applied, or one could try the script submitted to [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508523 bugs.debian.org].

=== /proc/mounts issue ===

The vserver's /proc/mounts exposes the vserver path on the host. lsof (for example) is able to print it.

=== "Ghosts" guests ===

==== Issue ====

Sometimes a guest loses its name in vserver-stats and acts like a zombie. It is impossible to restart or kill it. Stopping all the guests with the util-vserver init.d script doesn't solve the issue, and neither does vkill --xid $CTX.